
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Vista Security Claims Not All They Appear

Microsoft employee Jeff R Jones (Security Strategy Director) recently released a report claiming that Windows Vista is significantly more secure than competing operating system platforms.

After being released to CSO Online, the news was picked up and repeated by many sites, but not many stopped to analyse the information actually being put forward in the paper. Some sites, such as Slashdot, saw heated discussion about the methodology used and conclusions presented in the report, but overall most people accepted the report at face value.

Now that more people have had the opportunity to dig deeper through the report, more claims are being put forward that the report presents the wrong conclusions and is using flawed methodology.

The first warning sign for many is the fact that a paper written by a Microsoft employee places Microsoft in an advantageous position. While parochialism should be suppressed by professionalism, it does lead to concerns about bias.

Parochialism aside, the biggest problem that most observers are having with the published article is that the author has interpreted the available data sources in a very constrained manner that is not consistent for all of the considered platforms.

Windows Vista certainly has had fewer vulnerabilities publicly reported and patched by Microsoft, but it has only been available for a few months. Of concern to researchers is the number of critical vulnerabilities that are due to buffer overflows and those derived from old code. Technology such as ASLR was supposed to neutralise the majority of these vulnerabilities.

The report skips 'silently fixed' issues, which Microsoft did not publicly acknowledge as existing. It also counts bundled software when considering other operating systems, such as RHEL 4, which ship with numerous database, mail, and web servers, along with a host of other applications that the base Windows installations do not come with.
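To make the methodology point concrete, here is an added example (not from the report or from this article) that counts advisories under explicitly stated scopes. The platform names, components and advisory counts are constructed for illustration and are not real figures; the point is that whether bundled software and silently fixed issues are included changes not just the totals but which platform comes out ahead.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Advisory:
    platform: str
    component: str
    base_os: bool       # True: part of the base install; False: bundled extra software
    acknowledged: bool  # False: fixed without a public advisory ("silently fixed")


# Constructed sample data: platform names and counts are illustrative only.
ADVISORIES = [
    Advisory("platform-a", "kernel", True, True),
    Advisory("platform-a", "shell", True, True),
    Advisory("platform-a", "browser", True, True),
    Advisory("platform-a", "kernel", True, False),
    Advisory("platform-a", "libc", True, False),
    Advisory("platform-b", "kernel", True, True),
    Advisory("platform-b", "libc", True, True),
    Advisory("platform-b", "database-server", False, True),
    Advisory("platform-b", "mail-server", False, True),
    Advisory("platform-b", "web-server", False, True),
    Advisory("platform-b", "web-server", False, True),
]


def count_vulns(advisories: Iterable[Advisory],
                include_bundled: bool,
                include_silent: bool) -> dict:
    """Count advisories per platform under one explicit, uniform scope.

    Every platform present in the input gets an entry, so a platform with
    zero in-scope advisories still shows up with a count of 0.
    """
    advisories = list(advisories)
    counts = Counter({adv.platform: 0 for adv in advisories})
    for adv in advisories:
        if not adv.base_os and not include_bundled:
            continue  # bundled server software is out of scope
        if not adv.acknowledged and not include_silent:
            continue  # silently fixed issue is out of scope
        counts[adv.platform] += 1
    return dict(counts)


def ranking(counts: dict) -> list:
    """Platforms ordered from fewest to most in-scope advisories."""
    return sorted(counts, key=lambda platform: (counts[platform], platform))


def compare_scopes(advisories: Iterable[Advisory]) -> dict:
    """Run the same data through three scopes so the effect of each choice is visible."""
    advisories = list(advisories)
    return {
        # count everything a vendor ships, ignore silent fixes
        "all_shipped_no_silent": count_vulns(advisories, True, False),
        # restrict to components every platform actually has in its base install
        "base_os_no_silent": count_vulns(advisories, False, False),
        # same restriction, but also credit the fixes that were never announced
        "base_os_with_silent": count_vulns(advisories, False, True),
    }


if __name__ == "__main__":
    for scope, counts in compare_scopes(ADVISORIES).items():
        print(f"{scope:24s} {counts}  ranking: {ranking(counts)}")
```

With the constructed data, counting all shipped software while dropping silent fixes puts platform-a ahead; limiting both platforms to base-install components reverses the order, and including silent fixes widens the gap. The lesson is that a cross-platform count is only meaningful when the same scope is applied to every platform and that scope is stated alongside the numbers.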

With the continuing trend of the same vulnerabilities being found on Vista as on other systems, some are seeing it as a reason NOT to upgrade to Vista (or at least not until SP1). Consumers and businesses are continuing to push for the ongoing sale of Windows XP, and there are concerns from some quarters that Microsoft may have painted itself into a corner with Vista.

It appears that Microsoft's big push to rewrite the core system with security in mind hasn't quite achieved the goals that were set (ASLR can be defeated reliably, as well). This, and the response to the recent report, are quite disappointing, especially as Microsoft really has improved its stance on security and development practices in recent years.

29 June 2007
